SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #11

February 8, 2019

Install Apple's iOS 12.1.4 Update Now! German Regulators Prohibit Facebook From Merging User Data; Reverse Engineer Finds Decent Security Baked Into Smart Sprinkler Controller


SANS NewsBites                 Feb. 8, 2018                Vol. 21, Num. 011



  Apple's iOS 12.1.4 Update Includes Fix for FaceTime Bug; Act Soon - 2 Already Exploited

  German Regulators Prohibit Facebook From Merging User Data Without Consent

  Reverse Engineer Examined a Smart Sprinkler Controller and Found Pretty Decent Security Baked In


  Airline eTicket Bugs Expose Customer Data

  China's APT10 Hacking Group Targeted Managed Service Provider, Law Firm

  South African Eskom Power Company Data Breach

  Senator Asks Census Bureau to Answer Questions About Cost, IT Oversight, and Disaster Recovery

  Houston Cyber Exercise Reveals Questions About Coordination and Jurisdiction

  Vendor Allegedly Assaulted Researcher After Vulnerability Disclosure

  Chrome Password Checkup Extension Warns Users When Credential Pairs Have Been Leaked

  Microsoft Exchange Flaw

  Android's February Security Bulletin

  Report: DOD Red Teams Are Overworked and Lack Time to Develop New Tools






--Apple's iOS 12.1.4 Update Includes Fix for FaceTime Bug; Act soon - two already exploited

(February 7, 2019)

Apple has released an update for its iOS mobile operating system that includes a fix for the flaw in Group FaceTime that could let callers eavesdrop on and view call recipients before the call is answered. Apple disabled Group FaceTime last week after learning of the issue. The newest version of iOS is 12.1.4.

[Editor Comments]

[Ullrich and Honan] While highly publicized, the FaceTime bug is not the most critical bug fixed with this update. Group FaceTime has been disabled by Apple for vulnerable versions of iOS, preventing exploitation. However, this update fixes two additional vulnerabilities unrelated to FaceTime that were reported to Apple by Google's Project Zero. According to Google, these vulnerabilities have already been exploited.

[Neely] Apple also released OS X 10.14.3 Supplemental Update as well as iOS 12.2 Public Beta 2 to fix the Group FaceTime bug on those systems. The feature will remain disabled in older iOS and OS X versions. Adding a device without the update to a FaceTime call, Group or two-party, will terminate the entire call.

Read more in:

9to5mac: Group FaceTime server restored following iOS 12.1.4 release, feature disabled on older versions

ZDNet: Apple releases iOS 12.1.4, fixes iPhone FaceTime spying bug

Wired: Go Update IoS Right Now to Fix That Very Bad FaceTime Bug

Ars Technica: Apple pushes fix for FacePalm, possibly its creepiest vulnerability ever

Apple: About the security content of iOS 12.1.4


--German Regulators Prohibit Facebook From Merging User Data Without Consent

(February 7, 2019)

German regulators have forbidden Facebook from combining user data from its different platforms (such as Instagram and WhatsApp) without explicit user permission. The decision from Germany's Bundeskartellamt also forbids Facebook from combining user data with information from third-party sources without user consent. Bundeskartellamt president Andreas Mundt notes that "an obligatory tick on the box to agree to the company's terms of use is not an adequate basis for such intensive data processing. The only choice the user has is either to accept the comprehensive combination of data or to refrain from using the social network. In such a difficult situation the user's choice cannot be referred to as voluntary consent."

[Editor Comments]

[Pescatore] This is an important beachhead for making advances in privacy. Facebook, Google and a few other big players own multiple on-line services and their terms of service generally mean if you stay logged into one of them, you stay logged into all of them. Since most people tend to stay logged into email services, like Gmail, and social networks like Facebook, that often means they are always logged into everything, and their information across everything is tracked, correlated and sold without most of them understanding that staying logged in to Gmail means every Google search you do is correlated to what you said in email. The counter argument is always "well, that is what keeps things free on the internet." Attackers don't charge to breach databases either; tricking people into giving up their information in the name of free services does not make it right.

[Honan] GDPR requires that consent must be freely given. Article 7 (4) says "When assessing whether consent is freely given, utmost account shall be taken of whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract." In other words, an individual should not be required to give their consent as a pre-condition to gain access to a service, unless it is necessary for that service. More detailed guidance on how consent under GDPR should be managed is available from the UK's Information Commissioner's Office at "What is valid consent?"

Read more in:

Bundeskartellamt: Bundeskartellamt prohibits Facebook from combining user data from different sources

Bundeskartellamt: Background information on the Bundeskartellamt's Facebook proceeding

ZDNet: Facebook broad data collection ruled illegal by German anti-trust office

SC Magazine: Germany bans Facebook from combining user data without permission

BBC: Facebook ordered by Germany to gather and mix less data


--Reverse Engineer Examined a Smart Sprinkler Controller and Found Pretty Decent Security Baked In

(January 29, 2019)

Tenable Reverse Engineer Joseph Bingham assessed the potential attack surface of the Rachio smart sprinkler controller, which allows users to control their yard sprinklers from their smartphones. Bingham writes that the Rachio device implements "some basic but very important security steps to raise the bar for exploitation": firmware and filesystem encryption, limited debug interfaces (no shell access), service-level authentication, and communication encryption.

[Editor Comments]

[Pescatore] Always good to see one positive story around cybersecurity! We don't have automated sprinklers at our house but I'm tempted to put them in just so I can buy the Rachio controller to support their due diligence. Shane Miller, a cybersecurity consultant in Australia who is also a popular YouTube cycling equipment reviewer, just did a less positive review of the new wireless bike shifters on the market. The more consumer-oriented reviews highlight security/privacy issues, the more the market will demand them.

[Ullrich] Very nice news item, and glad to see that this gets some exposure. We are always seeing stories about yet another default password vulnerability in IoT devices. Nice to see a device highlighted for what it does right.

Read more in:

Medium: Reversing the Rachio Smart Sprinkler Controller




--Airline eTicket Bugs Expose Customer Data

(February 6 & 7, 2019)

According to research from Wandera, several airlines use electronic ticketing systems that expose passenger data, including names, flight numbers, boarding passes, and passport numbers. The vulnerability lies in a check-in link that the companies send to passengers; the link includes embedded passenger data. Wandera notified the affected airlines several weeks ago. 

[Editor Comments]

[Murray] This is an interesting and pervasive vulnerability without an organized threat. The lesson is that business transaction data in the public networks should always be encrypted. While rarely easy to set up, once set up, encryption is effective and efficient.

Read more in:

Wandera: Are airlines putting your data at risk?

eWeek: Major Airlines at Risk From Check-In System Flaw, Wandera Reports

Dark Reading: Some Airline Flight Online Check-in Links Expose Passenger Data

Cyberscoop: E-ticketing system exposes airline passengers' personal information via email

Threatpost: Flaw in Multiple Airline Systems Exposes Passenger Data
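The weakness in this item is a design pattern rather than one airline's code: passenger fields ride inside the check-in link itself. The block below is an added illustration, not code from Wandera or any airline. It contrasts that pattern with the one Murray's comment points at, in which the link carries only an opaque, expiring, single-use token and the passenger record stays server-side. The base URL, the sample passenger record and every function name are constructed for the example.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample record for the example; no real passenger data.
SAMPLE_PASSENGER = {
    "name": "A. Example",
    "flight": "XX123",
    "passport": "P0000000",
}


def weak_checkin_link(base_url, passenger):
    """The exposed pattern: passenger fields travel in the URL itself.
    Anything that logs or forwards the URL (mail scanners, proxies,
    browser history, Referer headers) receives the data."""
    return f"{base_url}?{urlencode(passenger)}"


class CheckinTokenStore:
    """Server-side store mapping opaque tokens to passenger records.
    Tokens are single-use and expire after ttl_seconds (hypothetical design)."""

    def __init__(self, ttl_seconds=3600):
        self._records = {}
        self._ttl = ttl_seconds

    def issue(self, passenger, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[token] = (dict(passenger), now + self._ttl)
        return token

    def redeem(self, token, now=None):
        """Return the record for a valid token, or None. The token is
        consumed on first use, so a leaked link cannot be replayed."""
        now = time.time() if now is None else now
        entry = self._records.pop(token, None)
        if entry is None:
            return None
        record, expires_at = entry
        if now > expires_at:
            return None
        return record


def hardened_checkin_link(base_url, store, passenger, now=None):
    """Hardened pattern: the URL carries only the token."""
    return f"{base_url}?{urlencode({'t': store.issue(passenger, now)})}"


def token_from_link(url):
    """Extract the token parameter from a hardened link (None if absent)."""
    return parse_qs(urlparse(url).query).get("t", [None])[0]


def fields_exposed_in_url(url):
    """Names of the query parameters anyone holding the URL can read."""
    return set(parse_qs(urlparse(url).query))


if __name__ == "__main__":
    base = "https://checkin.example/start"  # constructed host
    print("weak   :", weak_checkin_link(base, SAMPLE_PASSENGER))
    store = CheckinTokenStore()
    link = hardened_checkin_link(base, store, SAMPLE_PASSENGER)
    print("hardened:", link, "exposes", fields_exposed_in_url(link))
    print("redeemed:", store.redeem(token_from_link(link)))
```

The token itself is still a bearer secret, so the hardened form does not remove the need for TLS on the link or for a short lifetime; it limits what a captured URL reveals to a single redeemable reference instead of the passport number and itinerary.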


--China's APT10 Hacking Group Targeted Managed Service Provider, Law Firm

(February 6, 2019)

According to a joint report published by Rapid7 and Recorded Future, the Chinese hacking group known as APT10 broke into networks and stole information from Norwegian cloud services managed service provider (MSP) Visma, an international clothing company, and a US law firm that specializes in intellectual property law. The attacks occurred between November 2017 and September 2018.

Read more in:

Recorded Future: APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign: Intrusions Highlight Ongoing Exposure of Third-Party Risk

SC Magazine: Report: Chinese cyberspies hacked MSP, retailer and law firm in economic espionage campaign

ZDNet: China hacked Norway's Visma cloud software provider

The Hill: Researchers say Chinese hackers carried out attacks on US, European firms

Reuters: China hacked Norway's Visma to steal client secrets: investigators


--South African Eskom Power Company Data Breach

(February 6, 2019)

South African energy company Eskom suffered a data breach involving an exposed database and a data-stealing Trojan. The compromised data include company network credentials, customer information, and sensitive company data. Eskom was at first reluctant to acknowledge the situation, but has since said that "Eskom's Group IT is conducting investigations to determine whether sensitive Eskom information was compromised as a result of this incident. We will comment fully once the investigation is concluded." Eskom provides 95 percent of South Africa's power and provides power to other African countries as well.

[Editor Comments]

[Paller] Canary in the coal mine.

[Murray] It is fair to say that one does not target 95% of a country's electric power for the money. This is an existential breach for the nation.

Read more in:

Bleeping Computer: Power Company Has Security Breach Due to Downloaded Game

Silicon: South African Power Firm Eskom Fails To Secure Customer Data


--Senator Asks Census Bureau to Answer Questions About Cost, IT Oversight, and Disaster Recovery

(February 6, 2019)

In a letter to US Census Bureau Director Steven Dillingham, Senator Mike Enzi (R-Wyoming) notes that more than half of the 58 positions in the office that oversees the key technology integration contractor are unfilled. Enzi poses questions regarding filling these vacancies, the Bureau's plan to test IT systems and address weaknesses, the Bureau's disaster recovery plans in the event of a cyber attack or service disruption, and how the Bureau intends to keep census costs under control. Enzi seeks a response in writing by Friday, February 15, 2019.

[Editor Comments]

[Henry] [Three different SANS NewsBites items in this issue relate to problems the federal government is facing with cybersecurity (Houston Cyber Exercise Reveals Questions About Coordination and Jurisdiction; Report: DOD Red Teams Are Overworked and Lack Time to Develop New Tools); I'll comment on this one, but my thoughts apply equally to each of these issues.] The US government is an organization with tremendous resources, capabilities, and expertise. The problems found in one department or agency, whether it be the Census Bureau, DHS, or DOD, apply to the others. The same adversaries, with the same motivation and using the same TTPs, are attacking all the Departments. Departments cannot and should not be addressing these problems unilaterally, independent of coordination across other Departments. It is inefficient, ineffective, and dangerous. Rather, there needs to be a COMPREHENSIVE and focused US government strategy that leverages the tactics, resources, and expertise of all Departments in a coordinated and collaborative way. The US Government has done this previously, ten years ago, through the CNCI. It marshalled the resources of every agency in a focused fashion, with centralized accountability, visibility, and execution. It was funded by Congress in excess of $10 billion dollars, and it actually worked. It's shocking to me that, more than ten years later, we've reverted, even as the threats loom larger. The inability of the US Government to reconstitute the CNCI or develop a similar comprehensive plan across all Departments does not bode well for the United States.

Read more in:

Fedscoop: Sen. Mike Enzi has some IT questions for the new head of Census

Budget.senate: Enzi Letter to Dillingham


--Houston Cyber Exercise Reveals Questions About Coordination and Jurisdiction

(February 6, 2019)

In July 2018, the city of Houston, Texas conducted a critical infrastructure cybersecurity resilience exercise. The drill revealed gaps in jurisdiction between local and federal authorities. Houston Police Department Chief Technology Officer Mike Bell said that it is difficult to determine who to notify as signs of an attack emerge. The Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) is working to create a "visible logical, useful connection" for industry, and state and local governments.

[Editor Comments]

[Paller and Murray] Revelations such as this are one of the reasons for conducting such drills and exercises. So far, ISACs have proven to be the most successful model for connecting industry and government.

[Neely] When testing disaster recovery plans, be sure that all parties are at the table to confirm assumptions. In this case the city learned their assumptions of DHS response were overstated and that they didn't have the correct contact information. Verifying and updating before a true crisis is critical.

Read more in:

FCW: Cyber exercise shows need for closer federal-state coordination


--Vendor Allegedly Assaulted Researcher After Vulnerability Disclosure

(February 5 & 6, 2019)

A vendor allegedly physically attacked a researcher after the researcher disclosed a vulnerability in the vendor's product at a conference in London, UK earlier this week. The incident was reported to police. The researcher reportedly made good faith attempts to notify the vendor about the security issues months ago.

Read more in:

SecJuice: Researcher Assaulted By A Vendor After Disclosing A Vulnerability

CSO Online: Vendor allegedly assaults security researcher who disclosed massive vulnerability


--Chrome Password Checkup Extension Warns Users When Credential Pairs Have Been Leaked

(February 5 & 6, 2019)

A new extension for Google's Chrome browser checks to see if username/password combinations used in login forms have been leaked online. If the credential pair is flagged as being leaked, Chrome users will see a red warning pop-up box suggesting that they change that password. Firefox introduced the Firefox Monitor feature last November. It displays a one-time alert recommending users change their passwords when they visit websites that have been breached within the past 12 months.

[Editor Comments]

[Pescatore] The Google support site says, "Password Checkup works when you're signed in to the Chrome browser on a computer." And elsewhere says installing the extension means you agree to Google's Privacy Policy and Terms of Service, which just apparently changed again on 22 January. If I sign in to Chrome, I am automatically signed into every other service (like Google Search) that Google owns. Per my comments on the item above, my privacy mistrust of Google and other large Internet advertising giants means I won't take advantage of this service; I'll stick with less intrusive alternatives like alerts from Have I Been Pwned.

Read more in:

Wired: A New Google Chrome Extension Will Detect Your Unsafe Passwords

SC Magazine: Google adds Password Checkup Chrome extension

ZDNet: Google releases Chrome extension to check for leaked usernames and passwords

CNET: How to use Google's new Password Checkup tool
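Pescatore's comment names Have I Been Pwned as the less intrusive alternative. Its Pwned Passwords service publishes a range-query design in which the client sends only the first five hex characters of the SHA-1 hash of a password and compares the returned suffixes locally, so the service never sees the password or its full hash. The block below is an added illustration of that design; it is not Google's Password Checkup protocol and not code from Have I Been Pwned. The "server" is a local index built from a constructed list of sample passwords, so nothing contacts a real service, and all function names are assumptions made for the example.

```python
import hashlib

# Constructed "breach corpus": made-up passwords standing in for a leaked
# list. Not real breach data.
SAMPLE_LEAKED_PASSWORDS = ["password123", "letmein", "qwerty", "correct horse"]

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(text):
    """Uppercase SHA-1 hex digest; SHA-1 is the published index format for
    this lookup, not a recommendation for storing passwords."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Shard leaked hashes by their first five hex characters, the way a
    range-query service does. Value per prefix: suffix -> times seen."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index


def range_query(index, prefix):
    """Server side. It receives only a 5-hex-char prefix and returns every
    suffix under it, so it cannot tell which one the client holds."""
    if len(prefix) != 5 or any(c not in HEX_DIGITS for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return dict(index.get(prefix, {}))


def password_is_leaked(password, index):
    """Client side. Hash locally, send the prefix, compare the suffix at
    home. The password and its full hash never leave the client."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(index, digest[:5])


def anonymity_set_size(index, password):
    """How many leaked hashes share this password's prefix: the size of the
    set the server would have to guess among."""
    return len(range_query(index, sha1_hex(password)[:5]))


if __name__ == "__main__":
    idx = build_range_index(SAMPLE_LEAKED_PASSWORDS)
    for candidate in ["letmein", "a-long-unique-passphrase"]:
        print(candidate, "leaked" if password_is_leaked(candidate, idx) else "not in corpus",
              "bucket size", anonymity_set_size(idx, candidate))
```

Two caveats for anyone adapting this: it checks a password, whereas the Chrome extension checks a username/password pair, which needs a different protocol; and with a real corpus of hundreds of millions of hashes each five-character prefix covers several hundred entries, whereas the tiny constructed index here yields buckets of one, so the anonymity set it reports is illustrative only.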


--Microsoft Exchange Flaw

(February 5 & 6, 2019)

A privilege elevation vulnerability in Microsoft Exchange Server could be exploited to impersonate authenticated users and obtain administrative privileges. It is exploitable by launching a man-in-the-middle attack to send an authentication request to Microsoft Exchange Server. In its security advisory, Microsoft notes that an update is being developed but is not yet available; the advisory includes suggested mitigations.

Read more in:

Threatpost: Microsoft Confirms Serious PrivExchange Vulnerability

US-CERT: Microsoft Releases Security Advisory for Exchange Server

MSRC: ADV190007 | Guidance for "PrivExchange" Elevation of Privilege Vulnerability


--Android's February Security Bulletin

(February 5, 2019)

Google's February Security Bulletin for Android will include fixes for 11 critical vulnerabilities, including one that could be exploited to execute arbitrary code by sending a maliciously crafted PNG file to a targeted device. According to the bulletin, Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository.

[Editor Comments]

[Neely] The patches have been ported to the Android version 7 through 9 repositories. Once the update finishes QA from the manufacturers and mobile providers, it will be available for OTA deployment. If your device is no longer getting security updates from your provider, or is running an OS older than 7, you will need to replace it.

Read more in:

Threatpost: Google Patches Critical .PNG Image Bug

Android: Android Security Bulletin - February 2019


--Report: DOD Red Teams Are Overworked and Lack Time to Develop New Tools

(February 5, 2019)

According to the DODs annual Director of Operational Test & Evaluation report, there remains a gap between DOD cyber Red Team capabilities and the advanced persistent threat, and assessments that do not include a fully representative threat portrayal may leave warfighters and network owners with a false sense of confidence about the magnitude and scope of cyber-attacks facing the Department.

Read more in:

Fifth Domain: The Pentagon's red team hackers need more time, personnel and money

Nextgov: The Teams Who Test US Cyber Defenses Aren't Being Tough Enough: Pentagon Report

DOTE: FY18 Cybersecurity: Cyber Assessments (PDF)




Mitigations against Mimikatz Style Attacks

DNS "Lookingglass"

LibreOffice Macro Vulnerability

Firefox 65 Breaks HTTPS AV Scanning

RDP Client Vulnerabilities

Android Monthly Security Update

Skia Graphics Library Vulnerability

Hancitor HelloFax Malspam

Value of UAC

Google Chrome Password Check

Apple Releases Facetime Patch

Skype Video Now Allows For Blurred Background

Microsoft Exchange Server Advisory


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit